Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Drop.Small.cbx.1
Date discovered:22/12/2005
Type:Trojan
Subtype:Dropper
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:60.091 Bytes
MD5 checksum:552d8f1e645a6a53ccd531d5731edf4b
VDF version:6.33.00.53

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: PWS-JA
   •  Kaspersky: Trojan-Spy.Win32.Small.dg
   •  Bitdefender: Trojan.Spy.Small.W


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification
   • Steals information

 Files  It deletes the following file:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\tmp.tmp



The following files are created:

– Non malicious file:
   • %TEMPDIR%\$_2341234.tmp

%TEMPDIR%\$_2341233.tmp This is a non malicious text file with the following content:
   • %stolen information%

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.Smal.dg.16.C

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.Smal.dg.16.D

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Sma.dg.16.C

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Shell"="%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"



The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="explorer.exe"
   New value:
   • "Shell"="explorer.exe %empty spaces% %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

 Backdoor The following ports are opened:

– explorer.exe on a random TCP port in order to provide an HTTP server.
– explorer.exe on a random TCP port in order to provide a Socks 5 proxy server.


Contact server:
All of the following:
   • http://d**********team.com/gamma/x25.php
   • http://no**********bs.com/gamma/x25.php

As a result it may send some information. This is done via the HTTP POST method using a PHP script.


Sends information about:
    • Cached passwords
    • Created logfiles
    • IP address
    • Current malware status
    • Opened port
    • Collected information described in stealing section
    • Information about the Windows operating system

 Stealing It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • Outlook
   • Eudora
   • AK-Mail
   • Thunderbird
   • The Bat
   • Flash FXP
   • Total commander
   • Far

– A logging routine is started after a website is visited:
   • %any website that contains a login form%

– It captures:
    • Window information
    • Login information

 Injection –  It injects the following file into a process: %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll

    Process name:
   • explorer.exe



–  It injects the following file into a process: %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

    Process name:
   • explorer.exe


 Miscellaneous Mutex:
It creates the following Mutex:
   • MSARCH_MUTEX_NAME

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Daniel Constantin on Tuesday, January 3, 2006
Description updated by Daniel Constantin on Tuesday, January 3, 2006

Back . . . .